Hi All,
I suppose I hit this bug: https://bugs.archlinux.org/task/68963 and it
seems it is not fully resolved. I didn't request to reopen the bug,
because I'm not 100% sure it is really the same thing.
I have a setup with kerberos/sssd/pam/autofs, authenticating with an
active directory, and cifs mounts stopped working.
Login and nfs with kerberos work fine, so the issue is quite likely with
cifs.
Mounting the cifs share works with libcap-ng-0.8-1, but not with
libcap-ng-0.8.2-1.
I have cifs-utils 6.11-2, sssd 2.4.0-2 and krb5 1.18.2-1.
Did I miss something or am I hitting something special due to the setup?
Does anybody have a clue what could be the issue?
I include lots of details about the config and logs, but tl;dr:
"mount -t cifs -o domain=DOM,sec=krb5,soft,noserverino,cifsacl,username=theUser,cruid=1234567,vers=3.0 //nas.example.com/theUser /nas/home/theUser"
fails with
"cifs.upcall[532824]: drop_all_capabilities: Unable to apply capability set: Success"
Best,
Tasnad
Substituted values
==================
* myMachine: the client's hostname (not fqdn)
* theUser: the nonroot user trying to mount via autofs
* 1234567: uid of theUser (from Active directory)
* DOM: the AD domain
* DOM.EXAMPLE.COM: domain, fqdn
/etc/krb5.conf
==============
[libdefaults]
default_realm = DOM.EXAMPLE.COM
udp_preference_limit = 0
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 10h
renew_lifetime = 7d
forwardable = true
sssd.conf
=========
[sssd]
config_file_version = 2
domains = DOM.EXAMPLE.COM
services = nss, pam
[nss]
default_shell = /bin/bash
shell_fallback = /bin/bash
filter_groups = root
filter_users = root
[domain/DOM.EXAMPLE.COM]
id_provider = ad
auth_provider = ad
access_provider = simple
ldap_schema = ad
sudo_provider = none
cache_credentials = false
krb5_store_password_if_offline = false
dyndns_update = false
ldap_id_mapping = false
use_fully_qualified_names = false
enumerate = false
ignore_group_members = true
case_sensitive = preserving
ad_enable_gc = false
ad_hostname = myMachine
ldap_search_base = [...]
ldap_user_search_base = [...]
ldap_user_search_scope = [...]
ldap_group_search_base = [...]
ldap_group_search_scope = [...]
nsswitch.conf
=============
passwd: files sss
group: files sss
shadow: files sss
gshadow: files sss
publickey: files
hosts: files mymachines myhostname resolve [!UNAVAIL=return] dns
networks: files
protocols: files
services: files sss
ethers: files
rpc: files
netgroup: files sss
automount: sss
homes.autofs
============
/nas/home /etc/autofs/auto.master.d/home.map
-domain=DOM,fstype=cifs,sec=krb5,soft,noserverino,cifsacl
home.map
========
* -username=$USER,cruid=$UID,vers=3.0 ://nas.example.com/&
cifs idmap plugin
=================
/etc/cifs_utils/idmap-plugin -> /usr/lib/cifs-utils/cifs_idmap_sss.so
klist
=====
Ticket cache: FILE:/tmp/krb5cc_<uid>
Default principal: theUser@xxxxxxxxxxxxxxx
Valid starting Expires Service principal
12/16/2020 11:31:48 12/16/2020 21:25:18
krbtgt/DOM.EXAMPLE.COM@xxxxxxxxxxxxxxx
renew until 12/23/2020 11:25:18
automount -fd
=============
handle_packet: type = 3
handle_packet_missing_indirect: token 727, name theUser, request pid 532818
attempting to mount entry /nas/home/theUser
lookup_mount: lookup(file): looking up theUser
lookup_mount: lookup(file): theUser ->
-username=$USER,cruid=$UID,vers=3.0 ://nas.example.com/&
parse_mount: parse(sun): expanded entry:
-username=theUser,cruid=1234567,vers=3.0 ://nas.example.com/theUser
parse_mount: parse(sun): gathered options:
domain=DOM,fstype=cifs,sec=krb5,soft,noserverino,cifsacl,username=theUser,cruid=1234567,vers=3.0
parse_mount: parse(sun): dequote("://nas.example.com/theUser") ->
://nas.example.com/theUser
parse_mount: parse(sun): core of entry:
options=domain=DOM,fstype=cifs,sec=krb5,soft,noserverino,cifsacl,username=theUser,cruid=1234567,vers=3.0,
loc=://nas.example.com/theUser
sun_mount: parse(sun): mounting root /nas/home, mountpoint theUser, what
//nas.example.com/theUser, fstype cifs, options
domain=DOM,sec=krb5,soft,noserverino,cifsacl,username=theUser,cruid=1234567,vers=3.0
do_mount: //nas.example.com/theUser /nas/home/theUser type cifs options
domain=DOM,sec=krb5,soft,noserverino,cifsacl,username=theUser,cruid=1234567,vers=3.0
using module generic
mount_mount: mount(generic): calling mkdir_path /nas/home/theUser
mount(generic): calling mount -t cifs -o
domain=DOM,sec=krb5,soft,noserverino,cifsacl,username=theUser,cruid=1234567,vers=3.0
//nas.example.com/theUser /nas/home/theUser
>> mount error(126): Required key not available
>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and
kernel log messages (dmesg)
mount(generic): failed to mount //nas.example.com/theUser (type cifs) on
/nas/home/theUser
dev_ioctl_send_fail: token = 727
failed to mount /nas/home/theUser
journalctl
==========
kernel: CIFS: fs/cifs/cifsfs.c: Devname: //nas.example.com/theUser flags: 0
kernel: CIFS: fs/cifs/connect.c: Domain name set
kernel: CIFS: fs/cifs/connect.c: Username: theUser
kernel: CIFS: fs/cifs/connect.c: file mode: 0755 dir mode: 0755
kernel: CIFS: fs/cifs/connect.c: VFS: in mount_get_conns as Xid: 684
with uid: 0
kernel: CIFS: fs/cifs/connect.c: UNC: \\nas.example.com\theUser
kernel: CIFS: fs/cifs/connect.c: Socket created
kernel: CIFS: fs/cifs/connect.c: sndbuf 16384 rcvbuf 131072 rcvtimeo 0x834
kernel: CIFS: fs/cifs/connect.c: Demultiplex PID: 532823
kernel: CIFS: fs/cifs/fscache.c: cifs_fscache_get_client_cookie:
(0x000[...]8/0x0000[...]d)
kernel: CIFS: fs/cifs/connect.c: VFS: in cifs_get_smb_ses as Xid: 685
with uid: 0
kernel: CIFS: fs/cifs/connect.c: Existing smb sess not found
kernel: CIFS: fs/cifs/smb2pdu.c: Negotiate protocol
kernel: CIFS: fs/cifs/transport.c: Sending smb: smb_len=106
kernel: CIFS: fs/cifs/connect.c: RFC1002 header 0xfa
kernel: CIFS: fs/cifs/smb2misc.c: SMB2 data length 122 offset 128
kernel: CIFS: fs/cifs/smb2misc.c: SMB2 len 250
kernel: CIFS: fs/cifs/transport.c: cifs_sync_mid_result: cmd=0 mid=0
state=4
kernel: CIFS: fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
kernel: CIFS: fs/cifs/smb2pdu.c: mode 0x1
kernel: CIFS: fs/cifs/smb2pdu.c: negotiated smb3.0 dialect
kernel: CIFS: fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
kernel: CIFS: fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
kernel: CIFS: fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
kernel: CIFS: fs/cifs/connect.c: Security Mode: 0x1 Capabilities:
0x300057 TimeAdjust: 0
kernel: CIFS: fs/cifs/smb2pdu.c: Session Setup
kernel: CIFS: fs/cifs/smb2pdu.c: sess setup type 5
kernel: CIFS: fs/cifs/cifs_spnego.c: key description =
ver=0x2;host=nas.example.com;ip4=10.0.0.1;sec=krb5;uid=0x0;creduid=0x12D687;user=theUser;pid=0x82155
cifs.upcall[532824]: key description:
cifs.spnego;0;0;39010000;ver=0x2;host=nas.example.com;ip4=10.0.0.1;sec=krb5;uid=0x0;creduid=0x12D687;user=theUser;pid=0x82155
cifs.upcall[532824]: ver=2
cifs.upcall[532824]: host=nas.example.com
cifs.upcall[532824]: ip=10.0.0.1
cifs.upcall[532824]: sec=1
cifs.upcall[532824]: uid=0
cifs.upcall[532824]: creduid=1234567
cifs.upcall[532824]: user=theUser
cifs.upcall[532824]: pid=532821
cifs.upcall[532824]: get_cachename_from_process_env:
pathname=/proc/532821/environ
cifs.upcall[532824]: drop_all_capabilities: Unable to apply capability
set: Success
cifs.upcall[532824]: Exit status 1
kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS: VFS: \\nas.example.com Send error in SessSetup = -126
kernel: CIFS: fs/cifs/connect.c: VFS: leaving cifs_get_smb_ses (xid =
685) rc = -126
kernel: CIFS: fs/cifs/dfs_cache.c: __dfs_cache_find: search path:
\nas.example.com\theUser
kernel: CIFS: fs/cifs/dfs_cache.c: get_dfs_referral: get an DFS referral
for \nas.example.com\theUser
kernel: CIFS: fs/cifs/fscache.c: cifs_fscache_release_client_cookie:
(0x0000[...]8/0x00000[...]d)
kernel: CIFS: fs/cifs/connect.c: VFS: leaving mount_put_conns (xid =
684) rc = 0
kernel: CIFS: VFS: cifs_mount failed w/return code = -126
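As an added example (not part of Tasnad's mail or of cifs-utils), a small Python decoder for the cifs.spnego key description shown in the journal above: it converts the hex fields the kernel passes into the decimal values cifs.upcall prints (creduid=1234567, pid=532821), which makes it easy to check that the upcall is authenticating as the right user and looking for the ccache named in krb5.conf. The ccache template handling assumes the upcall resolves the default cache with creduid as its effective uid.

```python
# Constructed sample input: the key description cifs.upcall logged in the
# report above (host, uid, creduid and pid values are the ones from that log).
SAMPLE_KEY_DESC = (
    "cifs.spnego;0;0;39010000;ver=0x2;host=nas.example.com;ip4=10.0.0.1;"
    "sec=krb5;uid=0x0;creduid=0x12D687;user=theUser;pid=0x82155"
)

# Fields the kernel writes as hex numbers (ver=0x2, uid=0x0, creduid=0x12D687, pid=0x82155).
HEX_FIELDS = ("ver", "uid", "creduid", "pid")


def parse_spnego_key_desc(desc):
    """Split a cifs.spnego request-key description into a dict.

    request-key hands the upcall '<type>;<uid>;<gid>;<perm>;<payload>', where
    the payload is ';'-separated key=value pairs built by fs/cifs/cifs_spnego.c.
    Hex fields are converted to int so they can be compared with the decimal
    values cifs.upcall prints in the journal.
    """
    parts = desc.split(";")
    if len(parts) < 5 or parts[0] != "cifs.spnego":
        raise ValueError("not a cifs.spnego key description")
    fields = {
        "key_type": parts[0],
        "key_uid": int(parts[1]),        # uid of the key's owner (the mount caller)
        "key_gid": int(parts[2]),
        "key_perm": int(parts[3], 16),   # keyring permission mask
    }
    for item in parts[4:]:
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed field: %r" % item)
        fields[key] = int(value, 16) if key in HEX_FIELDS else value
    return fields


def expected_ccache(fields, template="FILE:/tmp/krb5cc_%{uid}"):
    """Credential cache the upcall should open when KRB5CCNAME is not set.

    Under autofs the mount runs as uid 0, but the upcall switches to creduid
    (the cruid= mount option) before talking to krb5, so %{uid} in the
    krb5.conf default_ccache_name template expands to creduid (assumption).
    """
    return template.replace("%{uid}", str(fields["creduid"]))


def check_upcall_identity(fields):
    """True when the upcall would authenticate as a non-root user, i.e. the
    cruid= option reached the kernel and was not left at the mount's own uid."""
    return fields["creduid"] != 0 and fields["uid"] == 0
```
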